
RE: CVE ID Syntax - seeking outreach suggestions



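We (Microsoft) will mention this on this week's Patch Tuesday release webcast.

Thanks,
Elizabeth Scott

-----Original Message-----
From: owner-cve-editorial-board-list@lists.mitre.org [mailto:owner-cve-editorial-board-list@lists.mitre.org] On Behalf Of Williams, James K
Sent: Wednesday, April 2, 2014, 16:00
To: cve-editorial-board-list (cve-editorial-board-list@lists.mitre.org)
Subject: RE: CVE ID Syntax - seeking outreach suggestions

Hi,

* Post to the BugTraq and Full Disclosure mailing lists.
* Ask Secunia, PacketStorm, NIST, CERT, DoD, etc. to post special announcements on their web sites.
* Promote at DEF CON and Black Hat.

Asking implementers to announce that they have achieved compliance is a good idea.

We would be happy to announce to our customer base. A web page would be best.

Thanks and regards,
Ken Williams
Director, Product Vulnerability Response Team
CA Technologies
Ken.Williams@ca.com

-----Original Message-----
From: owner-cve-editorial-board-list@lists.mitre.org [mailto:owner-cve-editorial-board-list@lists.mitre.org] On Behalf Of Steven M. Christey
Sent: Wednesday, April 2, 2014, 9:02
To: cve-editorial-board-list@lists.mitre.org
Subject: CVE ID Syntax - seeking outreach suggestions

In recent months, MITRE has been working on publicly communicating the CVE ID syntax change. We would like advice from the Editorial Board on how to further expand our outreach and educate the public.

1) We have published more detailed technical guidance for implementers to find and resolve problems related to the syntax change:

http://cve.mitre.org/cve/identifiers/tech-guidance.html

This page includes some extensive test data so that implementers can be confident that they have adequately addressed the ID syntax. For example, we have lists of many valid identifiers that could reveal parsing problems (such as CVE-2014-2147483648, which triggers a 32-bit representation problem), and hundreds of invalid identifiers, some of which came directly from real-world requests to the CVE web site.

2) We are also collecting contact information for CVE-compatible vendors, and we hope to email them soon. However, it is likely that many of our contacts are from the marketing side of the organization, and we might not always reach the right technical people.

3) We continue to periodically remind the public of the syntax change through the cve-announce mailing list, Twitter, and LinkedIn.

4) We have made syntax-related code changes to our own web site and internal processes. For example, http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-1012 now provides a custom page that educates consumers about the potential truncation problem and the ID protection block, and http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-a1012 provides more specific error messages when CVE IDs are malformed.

5) We have mentioned or focused on the syntax in talks that we have given, especially over the past year, and will continue to do so. We are also considering offering webinars.

Despite these efforts, there are indications that we are not reaching everyone who needs to handle the change, especially developers of CVE-compatible or CVE-using products. There also seems to be little press interest, as the syntax change may be seen as "old news."

We would like suggestions from the Board about how we can reach the right people. For example:

* Are there Board members who are willing to announce the change and/or post educational material to their customer base? If so, what form would be the most useful - PowerPoint slides, a web page, newsletter, webinar, etc.?
* Would it be effective for us to encourage implementers to announce when they have achieved "compliance" with the new syntax, and then publicize these vendors? Would this be useful in fostering some competitiveness to drive organizations to a resolution?
* Are there ways that we can help customers to directly engage with their vendors to ensure that the issues are addressed? We have not yet directly emphasized customers in our outreach, but they might be the most effective in contacting the right people within the vendors and getting resolution.

Any other ideas or suggestions are welcome and encouraged! If there is sufficient interest or need, we could have another Editorial Board teleconference that is focused on this topic.

Thank you!
- Steve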
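Added example (not part of the original messages and not MITRE's code): a strict parser for the ID syntax discussed in items 1 and 4 of the message above, reporting the 32-bit representation and truncation hazards it mentions. It assumes the post-change syntax of "CVE-", a four-digit year and a sequence number of four or more digits; the function names and the legacy fixed-width pattern are hypothetical.

```python
import re

# Assumed syntax after the change: "CVE-", 4-digit year, 4 or more digits.
# re.ASCII keeps \d from matching non-ASCII digits that int() would accept.
CVE_RE = re.compile(r"CVE-(\d{4})-(\d{4,})", re.ASCII)
# Hypothetical legacy fixed-width pattern, used only to show truncation.
LEGACY_RE = re.compile(r"CVE-\d{4}-\d{4}", re.ASCII)
INT32_MAX = 2**31 - 1


def parse_cve_id(text):
    """Return (year, sequence) for a well-formed ID, else raise ValueError.

    fullmatch() ensures trailing digits or stray characters are rejected
    rather than silently dropped. Upper-casing the input is a choice made
    for this example.
    """
    m = CVE_RE.fullmatch(text.strip().upper())
    if m is None:
        raise ValueError(f"malformed CVE ID: {text!r}")
    return int(m.group(1)), int(m.group(2))  # Python ints do not overflow


def storage_hazards(text):
    """List ways a legacy consumer would mishandle an otherwise valid ID."""
    normalized = text.strip().upper()
    _, seq = parse_cve_id(normalized)
    hazards = []
    if seq > INT32_MAX:
        hazards.append("sequence overflows a signed 32-bit integer")
    # A prefix match is what a fixed-width field or regex would capture.
    legacy = LEGACY_RE.match(normalized).group(0)
    if legacy != normalized:
        hazards.append(f"fixed-width parser truncates to {legacy}")
    return hazards


# Constructed samples; the first three follow the IDs mentioned in the
# message above, the last two are made up for this example.
SAMPLES = ["CVE-2014-2147483648", "cve-2014-1012", "cve-2014-a1012",
           "CVE-2014-12345", "CVE-2014-123"]

if __name__ == "__main__":
    for sample in SAMPLES:
        try:
            print(sample, "->", parse_cve_id(sample), storage_hazards(sample))
        except ValueError as err:
            print(sample, "->", err)
```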

Page last updated or reviewed: October 3, 2014